New Consortium Links IT and Physical Security

Network managers have been steadily improving their track record in IT security, just in time for a new emphasis on physical security, as a regional cyber security consortium takes off.

Network security managers in some organizations are starting to work more
closely with their counterparts from the world of "physical" security.
Since 9/11, for example, the State of New York has launched a "cyber
security initiative" involving security specialists of both kinds, as well
as other IT employees. Many government officials are now advocating this
sort of "collaborative security" as a strategy for private businesses, too.

New York will now go on to spearhead a regional "cyber security consortium"
with public and private representation from all ten Northeastern states,
said William Pelgrin, director of the New York State Cyber Security and
Critical Infrastructure Coordination Initiative, speaking at a recent
meeting of the Information Technology Association of America (ITAA).

When the federal government performs "gap analyses" of state cyber security
policies, New York comes out on top, said Howard Schmidt, vice chairman of
the President's Critical Infrastructure Program Board, during the same ITAA
meeting in New York City.

"The next thing we have to do is to spread (this) across all of the other
49 states, and the territories," according to Schmidt.

'Anyone with a floppy disk and a frisbee.'
"Anyone with a floppy disk and a frisbee can now go out and write a virus,
and send it out over the Internet," Schmidt noted.

Schmidt's office is now holding a series of town meetings across the US,
for public input into the Bush administration's emerging draft strategy
on "defending cyberspace."

When complete, the National Strategy for Defending Cyberspace will serve as
a companion piece to the President's National Strategy for Homeland
Security.

The main focus of the national cyberspace strategy will be "voluntary,"
according to Schmidt.

"(We don't want) regulations around specific industries any more than we
need (them)," he said. "(We're) not in the business of the Internet or IT."

"Most companies aren't doing so, but network security (managers) aren't the
problem," Sheirer elaborated, during an interview later. "IT people usually
tend to be collaborative." Sheirer is now managing director of Giuliani
Partners, a consultancy established by former NY Mayor Richard Giuliani.

Other speakers at the NY eComm Association's forum also urged private
companies to be more proactive. "Whether you're in government (or not), at
what capability are you prepared?" asked Dale Watson, principal in Booz
Allen Hamilton's Global Strategic Security Practice, and former director
and chief of counterterrorism and counterintelligence at the FBI.

IT and physical security should complement each other, suggested Dr.
Stephen Flynn, senior fellow for national security studies and the Jeane J.
Kirkpatrick Chair in National Security at the US Council on Foreign
Relations.

"We are about to engage a ruthless enemy," Flynn told the forum attendees.
"(But) we've had openness as our mantra."

According to Flynn, the US effectively imposed an economic blockade against
itself by closing all its ports when 9/11 struck.

"The only tool (was) an 'off' switch," Flynn contended. "Technology is going
to be key."

Joseph R. Rosetti, president of Safir Rosetti, and former vice chairman,
Kroll, pointed to several emerging technologies that might help out in the
physical space, including biometrics, "smart doors," and RF tagging for
container shipments.

'Protection and detection'
According to New York State's Pelgrin, "response" and "recovery" are the
two aspects of security that have traditionally gotten the most attention.

Under the administration of Governor George Pataki, though, New York State
began focusing on "protection" and "detection" back in 1996, with
activities that included public awareness campaigns and ASICs, Pelgrin
said. In 1997, the work of a state task force resulted in the creation of
the Office for Technology (OFT), which now consists of four sections:
Computing, Network, Applications, and Customer Relations.

Since 9/11, the New York State government has formalized and expanded on
earlier activities by starting the Office of Public Security, the Cyber
Security Task Force, and the Cyber Security and Critical Infrastructure
Coordination Initiative.

After serving as director of OFT for five-and-a-half years, Pelgrin was
named in September of this year to head up the Cyber Security and Critical
Infrastructure Coordination Initiative. The OFT and state public safety
arms have been key participants in the Cyber Security Task Force, which
serves under the Office of Public Security. In his new role, Pelgrin
reports to the CIO of New York State.

The Cyber Security and Critical Infrastructure Coordination Initiative
emphasizes "information sharing" around cyber and physical security issues
across state and local government -- and ultimately, with private industry,
Pelgrin said.

At the same time, the program is abiding by state and federal privacy laws,
he maintained during the ITAA lunch, the first in a series of ITAA meetings
being held under the umbrella title, "Information Assurance in the
States."

Like private companies, state government also felt immediate impacts from
9/11, Pelgrin told the meeting attendees. About 2250 physical circuits were
lost. "40 agencies went down."

Right after 9/11, GIS specialists in the state capital of Albany lent a
hand to New York City by building 3-D maps that pinpointed any potential
damage to gas mains, for instance.

Pelgrin's office later identified several priority "sectors" for cyber
security, including utilities; telecom; health; finance and economy; and
government and public safety. A set of "best practices for cyber security"
is almost ready.

Different kettles of fish?
According to Akamai President Paul Sagan, though, network and physical
security are two different animals.

"In the physical world, it's a question of 'when.' But in the IT world,
'when' is not (even) a question," Sagan told the audience at the NY eComm
forum. Cyberattacks are "weekly occurrences."

Sagan acknowledged, however, that unlike their counterparts in physical
security, IT security pros are not dealing with individual "point
vulnerabilities" such as airplanes and buildings.

What can businesses do?
How can companies do a better job on IT security? Businesses are already
rolling confidentiality and privacy protections into security, Sagan said.
Now, distributed, decentralized and redundant networks need to be figured
into the equation.

"Where people fail is in thinking about availability. If your network is
brought down, (this will) render you unable to do electronic business."

When will companies add more network and/or physical security to their
infrastructures? Just after 9/11, security vendors saw a "dramatic runup"
in their stock prices, noted Brian Hayhurst, The Carlyle Group's managing
director for US Ventures, also during the NY eComm Forum.

"(Security) had the potential of becoming another bubble," according to
Hayhurst.

Meanwhile, though, a lot of customers are saying, "'I can't have more
security. I can't pass the cost along to customers,'" Sagan said.

According to Rosetti, lack of integration between "point solutions"
remains a roadblock to business spending on security. Several other
speakers mentioned a "lack of standards."

Security managers are currently getting "inundated by firms with different
technologies," Sheirer observed. The field, though, will "winnow out," he
predicted.